| V-258586 | High | The ICS must be configured to use TLS 1.2, at a minimum. | Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
NIST SP... |
| V-258589 | High | The ICS must be configured to use multifactor authentication (e.g., DOD PKI) for network access to nonprivileged accounts. | To ensure accountability and prevent unauthenticated access, nonprivileged users must use multifactor authentication to prevent potential misuse and compromise of the system.
Multifactor... |
| V-258588 | Medium | The ICS must be configured to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Organizational... |
| V-258585 | Medium | The ICS must be configured to limit the number of concurrent sessions for user accounts to one. | VPN gateway management includes the ability to control the number of users and user sessions that utilize a VPN gateway. Limiting the number of allowed users and sessions per user is helpful in... |
| V-258584 | Medium | The ICS must display the Standard Mandatory DOD Notice and Consent Banner before granting access to users. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is consistent with applicable federal laws,... |
| V-258591 | Medium | The ICS must terminate remote access network connections after an organization-defined time period. | This SRG requirement is in response to the DoD OIG Audit of Maintaining Cybersecurity in the Coronavirus Disease-2019 Telework Environment.
Best practice is to terminate inactive user sessions... |
| V-258596 | Medium | The ICS must be configured to disable split-tunneling for remote client VPNs. | Split tunneling would in effect allow unauthorized external connections, making the system more vulnerable to attack and to exfiltration of organizational information.
A VPN hardware or software... |
| V-258597 | Medium | The ICS that provides a Simple Network Management Protocol (SNMP) Network Management System (NMS) must configure SNMPv3 to use FIPS-validated AES cipher block algorithm. | Without device-to-device authentication, communications with malicious devices may be established. Bidirectional authentication provides stronger safeguards to validate the identity of other... |
| V-258583 | Medium | The ICS must be configured to ensure inbound and outbound traffic is configured with a security policy in compliance with information flow control policies. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traffic may transit a network, which uses bandwidth... |
| V-258595 | Medium | The ICS must be configured to use an approved Commercial Solution for Classified (CSfC) when transporting classified traffic across an unclassified network. | Use of weak or untested encryption algorithms undermines the purposes of using encryption to protect data.
The National Security Agency/Central Security Service's (NSA/CSS) CSfC Program enables... |
| V-258592 | Medium | The ICS must be configured to send user traffic log data to redundant central log server. | The aggregation of log data kept on a syslog server can be used to detect attacks and trigger an alert to the appropriate security personnel. The stored log data can used to detect weaknesses in... |
| V-258594 | Medium | The ICS must be configured to authenticate all clients before establishing a connection. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity.
For ICS, user authentication uses authentication servers, realms,... |
| V-258593 | Medium | The ICS must be configured to forward all log failure events where the detection and/or prevention function is unable to write events to local log record or send an SNMP trap that can be forwarded to the SCA and ISSO. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an... |
| V-258590 | Medium | The ICS, when utilizing PKI-based authentication, must be configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly trusted. To meet this requirement, the... |
| V-258587 | Low | The ICS must be configured to generate log records containing sufficient information about where, when, identity, source, or outcome of the events. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
VPN gateways often have a separate audit log for... |
